saml2: only allow local URLs as redirections (#43279)

Frédéric Péters 2020-05-25 17:32:52 +02:00
parent 66de9cdd5c
commit 05c1573e38
2 changed files with 15 additions and 2 deletions


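--- a/[path not shown on page; saml2 test module]
+++ b/[path not shown on page; saml2 test module]
@@ -18,6 +18,7 @@ from wcs.qommon.misc import get_lasso_server
 from wcs.qommon.saml2 import Saml2Directory
 from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
 from wcs.qommon import sessions, x509utils
+from wcs.qommon.errors import RequestError
 from wcs.roles import Role
 from utilities import get_app, create_temporary_pub, clean_temporary_pub
 
@@ -303,12 +304,21 @@ def test_assertion_consumer_redirect_after_url(pub):
 
 def test_assertion_consumer_full_url_redirect_after_url(pub):
     req = get_assertion_consumer_request(pub)
-    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
     saml2 = Saml2Directory()
     saml_response_body = req.form['SAMLResponse']
     body = saml2.assertionConsumerPost()
     assert req.response.status_code == 303
-    assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok'
+    assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok'
+
+
+def test_assertion_consumer_external_url_redirect_after_url(pub):
+    req = get_assertion_consumer_request(pub)
+    req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
+    saml2 = Saml2Directory()
+    saml_response_body = req.form['SAMLResponse']
+    with pytest.raises(RequestError):
+        body = saml2.assertionConsumerPost()
 
 
 def test_saml_login_page(pub):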
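Review bot: The new `test_assertion_consumer_external_url_redirect_after_url` only exercises a completely different host (`example.org`), so it does not establish that the prefix check in `Saml2Directory` rejects a near-miss host; a second case whose host begins with the fixture's own host (e.g. a constructed `http://example.net.example/foobar/`) expected to raise `RequestError` would pin that boundary. I'm inferring from the `example.org` → `example.net` rename in the existing test that the fixture's frontoffice host is `example.net`. In the new test, `saml_response_body` is assigned but never read and the `body =` inside the `with` block is dead because the call is expected to raise, so both can go: `with pytest.raises(RequestError):` / `saml2.assertionConsumerPost()`.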


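--- a/[path not shown on page; module wcs.qommon.saml2]
+++ b/[path not shown on page; module wcs.qommon.saml2]
@@ -355,6 +355,9 @@ class Saml2Directory(Directory):
             netloc = parsed_url.netloc or request.get_server()
             after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
                                              parsed_url.fragment))
+            if not (after_url.startswith(get_publisher().get_backoffice_url()) or
+                    after_url.startswith(get_publisher().get_frontoffice_url())):
+                raise errors.RequestError()
         else:
             after_url = get_publisher().get_frontoffice_url()
         response.set_status(303)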
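Review bot: The new guard at `if not (after_url.startswith(get_publisher().get_backoffice_url()) or ...` matches by string prefix, so if `get_frontoffice_url()` comes back without a trailing slash, a RelayState whose host merely extends the allowed host name (or puts the allowed host in the userinfo part before `@`) still passes as "local"; the hunk does not show how those URLs are formatted, so this needs confirming against the publisher. Comparing the parsed origin is robust regardless of formatting and reuses the `netloc` computed just above (and `scheme`, assigned earlier in the method): `allowed = [urlparse.urlsplit(u)[:2] for u in (get_publisher().get_backoffice_url(), get_publisher().get_frontoffice_url())]` / `if (scheme, netloc.lower()) not in allowed:` / `raise errors.RequestError()`, lower-casing `netloc` because host names compare case-insensitively while `str` prefixes do not. The `RequestError()` is raised without a message, so a short one naming the rejected redirect target would help operators reading the error log. The enclosing method of `Saml2Directory` starts and ends outside the hunk.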